On 07/16/2014 06:34 PM, John Devitofranceschi wrote: > host/*@MYREALM.COM x */*1 at MYREALM.COM This works for me in 1.11, 1.12, and the master branch. So, your expectation isn't unreasonable, but I'm not sure why it doesn't work for you. Note that kadmind will not reread its ACL file until it is restarted.